Release Notes
0.3.0
New Features — optional hooks
Six new opt-in scanning surfaces, installed with prisma-airs-hooks install --optional <names|all> (default install is unchanged):
-
beforeShellExecution(can block) — scans shell command text astool_eventbefore execution; enforce-mode block denies the command. -
afterShellExecution(observe) — scans terminal output for DLP (leaked credentials, env dumps). -
beforeReadFile(can block) — DLP-scans full file contents before the Agent reads them into model context. -
beforeTabFileRead(can block) — same DLP gate for Tab inline completions; first AIRS coverage of the Tab surface. -
subagentStart(can block) — scans subagent task text for prompt injection before the subagent spawns. -
afterMCPExecution(observe) — scans MCP tool input + full result JSON after execution. -
MCP output sanitization — new
sanitize_mcp_outputconfig flag (defaultfalse): in enforce mode, postToolUse replaces flagged MCP tool output with a redaction notice via Cursor'supdated_mcp_tool_output, so flagged content never reaches the model.
Improvements
- Data-driven hook registry drives install/uninstall/verify scripts;
verify-hooksreports optional hooks without failing when absent. beforeShellExecution,afterShellExecution, andbeforeReadFilealso run in Cursor cloud agents, extending AIRS coverage there.
See Optional Hooks for details.
0.2.2
Fixes
PRISMA_AIRS_PROFILE_NAME— single env var to set the AIRS security profile for all scan directions (prompt, response, tool). Per-direction vars (PRISMA_AIRS_PROMPT_PROFILE,PRISMA_AIRS_RESPONSE_PROFILE,PRISMA_AIRS_TOOL_PROFILE) still work as overrides.session_id— all scans sendsession_id(<email>:<YYYY-MM-DD>) to Prisma AIRS, binding a user's prompts, responses, and tool calls into a single daily session.- Log path —
~inlogging.pathis now resolved to the home directory at runtime. Default template changed to~/.cursor/hooks/airs-scan.log.
0.2.0
Breaking Changes
- Environment variable rename: All
AIRS_*variables renamed toPRISMA_AIRS_*. See migration guide below.
New Features
beforeMCPExecutionhook — scans MCP tool inputs before execution via AIRStool_eventcontent type. Can block tool calls flagged for prompt injection, malicious parameters, etc.postToolUsehook — scans MCP, Shell, Write, and Edit tool outputs for DLP, malicious code, and other violations. Observe-only (audit and logging).- Per-direction profiles — new
profiles.toolfor MCP/tool scanning alongside existingprofiles.promptandprofiles.response. - Configurable content limits —
content_limits.max_scan_bytes(skip threshold, default 50KB) andcontent_limits.truncate_bytes(truncation, default 20KB) applied to all scan paths.
Migration
Replace in your shell profile:
AIRS_API_KEY→PRISMA_AIRS_API_KEYAIRS_API_ENDPOINT→PRISMA_AIRS_API_ENDPOINTAIRS_PROMPT_PROFILE/AIRS_RESPONSE_PROFILE→PRISMA_AIRS_PROFILE_NAME(single var for all directions, or use per-directionPRISMA_AIRS_PROMPT_PROFILE/PRISMA_AIRS_RESPONSE_PROFILE/PRISMA_AIRS_TOOL_PROFILEoverrides)
Then reinstall hooks: prisma-airs-hooks install --global
0.1.0 (2026-03-17)
Initial release.
Features
- Prompt scanning via
beforeSubmitPromptCursor hook - Response scanning via
afterAgentResponseCursor hook with code extraction - Three modes: observe, enforce, bypass
- Six detection services: prompt injection, DLP, toxicity, malicious code, URL categorization, custom topics
- Per-service enforcement: block, mask, or allow independently
- Fail-open design: never blocks on infrastructure failures
- Circuit breaker: automatic bypass after consecutive API failures
- DLP masking: replace sensitive content instead of blocking
- Code extraction: fenced, indented, and heuristic detection
- Structured logging: JSON Lines with automatic rotation at 10MB
- Stats CLI: scan totals, block rates, latency percentiles
- Global hook installation:
--globalflag for all Cursor workspaces - Precompiled JS: ~800ms cold start vs ~2.5s with tsx
- Environment variable defaults: only
AIRS_API_KEYrequired - 66 tests across 9 suites including compiled JS integration tests
Built On
@cdot65/prisma-airs-sdkfor AIRS API communication- TypeScript 5.x with strict mode
- Node.js 18+ (native fetch)
- Vitest for testing